Shared secrets shhh! Easily breached, stolen, or phished
- Slide 3
- Shared secrets shhh! Easily breached, stolen, or phished
- Slide 4
- Introducing Microsoft "Passport"
  - Replace passwords with a private key made available solely through a user gesture (PIN, Windows Hello, remote device, etc.)
  - Goals:
    - Support both local Passport and Passport2Go (phone, USB dongle, etc.)
    - Introduce MSFT Passport because of its convenience first and security first; UX must be at least as good as with passwords
- Slide 5
- Using Microsoft "Passport": the credential
  - Public key of Passport is mapped to a user account
  - Proof-able with OTP, code and PhoneFactor
  - To the user, it's familiar: Windows Hello or PIN user gesture
  - To IT, it's familiar, as it's based on a certificate or asymmetrical key pair
- Slide 6
- Using Microsoft "Passport": the usage
  - Keys are ideally generated in hardware (TPM) first, software as a last resort
  - Hardware-bound keys can be attested
  - Browser support via JS/WebCrypto APIs to create and use Passport for users
  - Single unlock gesture provides access to multiple credentials, origin isolated
- Slide 7
- A new approach: key based. Authentication for orgs & consumers
  - [Diagram labels: 1 User; 2 Windows 10; 3 Intranet Resource; 4 Intranet Resource; IDP: Active Directory, Azure Active Directory, Microsoft Account, other IDPs]
- Slide 8
- Hardware Secured Keys
- Slide 9
- A baby can identify its mother by the time it's a month old. Our devices could not do it. None of our senses operated in the digital world until recently.
- Slide 12
- Enrollment :)
  - Find a face
  - Discover landmarks
  - Detect head orientation
  - Build & secure vector-based template
- Slide 13
- Usage :)
  - Find a face
  - Discover landmarks
  - Detect head orientation
  - Build vector-based representation
  - Does it match a template?
- Slide 14
- Recovery :)
  - Find a face
  - Does not match template
  - Type a PIN to verify your identity
- Slide 23
- [Architecture diagram; component labels:]
  - Windows Biometric Service
  - Biometric Credential Provider
  - Windows Biometric Client API (WinBio.DLL)
  - Win32 apps
  - UAP apps
  - Windows Runtime (WinRT)
  - Engine Adapter
  - Storage Adapter (inbox but can be replaced by 3rd party if needed)
  - Sensor Adapter (inbox but can be replaced by 3rd party if needed)
  - Windows Biometric Device Interface (WBDI) Driver
  - Sensor
  - Enrollment
  - Legend: OS component; 3rd party application; 3rd party driver and companion components
- Slide 24
- Windows Hello with Iris and Face
  - Inbox functionality
  - Works across a variety of devices running Windows 10
  - Integrated anti-spoofing countermeasures to mitigate physical attacks
  - Consistent image (via IR) in diverse lighting conditions allows for subtle changes in appearance, including facial hair, cosmetic makeup, eyewear, etc.
- Slide 25
- The world is moving towards small, touch-based sensors. These sensors can fit on almost any device.
  - Labels shown: Fingerprint Sensor FPC1021; Fingerprint Sensor FPC1150; Next Biometrics NB-1010-S Thermal; Ultrasound; Capacitive (CMOS)
  - Image of the Huawei Ascend Mate 7 taken from www.fingerprints.com
- Slide 26
- So why do we need to change our experiences?